Re: [DNSOP] some 2015-era thoughts about RFC 7706 -bis
Shumon Huque <shuque@gmail.com> Thu, 25 July 2019 15:15 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EA411201D1 for <dnsop@ietfa.amsl.com>; Thu, 25 Jul 2019 08:15:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I_ymIhqr5Tyr for <dnsop@ietfa.amsl.com>; Thu, 25 Jul 2019 08:15:35 -0700 (PDT)
Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF70D1202AF for <dnsop@ietf.org>; Thu, 25 Jul 2019 08:15:35 -0700 (PDT)
Received: by mail-ot1-x32b.google.com with SMTP id z23so23666572ote.13 for <dnsop@ietf.org>; Thu, 25 Jul 2019 08:15:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=smxyPXBe5oUi/1Eyu0BEf6bEtKDJPAlALBzzX355beA=; b=WRCZIyBmq856f7851NIrQTj9GRVaIfu/Xyti6cNPOro8+1kKAIU6K8j5otHAVpvR5H OWOf7YMIQcwUwfNgUGThTWXVXX8PX9SfEIHD/WyJbcpNob2wkCoC6kGzZCxL3iEC/DFG EcsfIcGgXJwEy4nvNZ6TJkMb2ZRNZInOW6WPb2m+bbdjZrW1unSoJUiN0A+au1PJIso4 8xyXzePsKpV1EQPX3urvOGQpZFwpGts5UVKofXRFTADMSUjLRXTHve9fUcX+z6P5ebaO kJPJwEGsnktkjdeq2BiMG3PRUytGPdiE4907x6SB08czI9vn3mdpjDZT2fi0xh+tioH7 PLdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=smxyPXBe5oUi/1Eyu0BEf6bEtKDJPAlALBzzX355beA=; b=SbT0ZFpwulPxp/8m0tFrEpOz3FOGHkEqbnspW/UOQzkBwTCdaMgY7BbOECOqH1f64o AxtcY1hD+EliPbFHfOMylFnnw3WwgtsiqgYCp8Wg/15sqmaYPBSJjf9JHvxoNU2lfa2D dusgnREoy6sNajuRQAMBt2eRLoLkVNLb6jwfkIn0VH+7RLxxp3vQrlBl+oddjFrAXR7i 8yjPGa9bTsOmHMPfG6W+Fcd2XBBOi+HkNUVrjF4chVkFrxikJhFj0eRLjjn25BqzmjJr 1Og1PpUE2+R2f0iK48vyIGqwSkD6RNAV2+BFQsppuK7Q4MJg1hkpoA21Xpo4uOduYoNp ekRA==
X-Gm-Message-State: APjAAAXHD7kTIfuKdiEJwMTxObXLxg1j198gTykhgcgjM12cH9sylBxl 6WCwH3O/bk58FFYGXOFmN5NOGmzzr4DE7l9cyUDseXYjpT8=
X-Google-Smtp-Source: APXvYqyWBlaWGgCtjZNs+YL+O4CQZ4K7Ityl+5NmDQz3t1Iw3OlHxf+SLz5HYRie0lBSz7c+MBR1gqhMcZ1fi/6F/vg=
X-Received: by 2002:a9d:73c4:: with SMTP id m4mr39077788otk.369.1564067734959; Thu, 25 Jul 2019 08:15:34 -0700 (PDT)
MIME-Version: 1.0
References: <3673081.H4C9ml97Qf@linux-9daj> <20190725054450.GC92610@isc.org>
In-Reply-To: <20190725054450.GC92610@isc.org>
From: Shumon Huque <shuque@gmail.com>
Date: Thu, 25 Jul 2019 11:15:22 -0400
Message-ID: <CAHPuVdWTJqKQxQT=H2N9vqyfTTu78M+P+sYKGqq1u0_=UZfwrg@mail.gmail.com>
To: Evan Hunt <each@isc.org>
Cc: Paul Vixie <paul@redbarn.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bf3a97058e82e51b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0nbe-RrHQM6rMqxOUzACJlfKIpA>
Subject: Re: [DNSOP] some 2015-era thoughts about RFC 7706 -bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 15:15:38 -0000
(I'll ignore the question of the cost/benefits of running a local root copy for now and just focus on the technical topic below). On Thu, Jul 25, 2019 at 1:45 AM Evan Hunt <each@isc.org> wrote: > > Third, and more pertinently, this work may have spin-off benefits. I've > thought for a long time that a mechanism to use DNSSEC to validate zone > transfers would be a useful addition to BIND. While that feature, per se, > still doesn't exist, the mirror zone developemnt invovled writing a lot the > code that's needed for it, and I expect it to exist fairly soon. So I don't > think 7706 will have been a waste of time even if it turns out not to have > been particularly effective at its original use case. > Evan, Can you elaborate on how you plan to do this? One of the things that has always annoyed me about RFC7706 (and its successor I-D) is that it offers no suggestions on how to validate that you got a correct copy of the entire root zone. The example configurations given in the appendix are all insecure - they rely on unauthenticated zone transfer. The one example that is likely secure is the one given for the Knot resolver, but that's because it is decidedly not using 7706, and instead uses cache prefill from a root zone copy located at a well known HTTPS authenticated destination. If an operator using 7706 is targeted by a glue spoofing attack, then it will likely require manual intervention of the resolver operator to recover. Whereas without 7706, I assume robust resolvers may be able to recover by themselves by retrying other root servers, if they can determine that they were directed to bogus servers in the case of signed child zones. If you plan to use DNSSEC to validate the zone, I assume you might be thinking of either (1) signed ZONEMD, although that does not exist yet for the root zone, or (2) proposing to re-design child NS and glue records so that they can be signed. But perhaps there are other ways that I haven't thought of. Recall that there have been extensive discussions on this topic during the initial debate on ZONEMD, which I won't rehash here. But I want to note that there is now a draft on XFR over TLS, which may offer a new channel protection possibility to address this issue (assuming it makes progress, and there is implementation interest on the part of root zone operators). Shumon Huque
- [DNSOP] some 2015-era thoughts about RFC 7706 -bis Paul Vixie
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Brian Dickson
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Tony Finch
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Evan Hunt
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Paul Vixie
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Vladimír Čunát
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Shumon Huque
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Evan Hunt